[Swan] Multiple devices behind single NAT IP
Mike C
smith.not.western at gmail.com
Mon Jul 29 21:25:01 EEST 2013
Hi,
Is there a recommended approach to run multiple openswan clients behind the
same NAT IP? My scenario in particular is multiple 3G devices behind the
same ISP CG-NAT IP (unfortunately).
I found a reference to something possibly related about NAT roadwarriors
and a big change to support them in Openswan 3.0 (this was back in 2006:
http://comments.gmane.org/gmane.network.openswan.user/8707 ).
I've been testing today with libreswan 3.3 on the clients and 3.5 on the
server. It appears that multiple ipsec devices behind a single NAT IP
doesn't work well. Maybe it shouldn't work at all?
My environment: VPNs are using PSKs and symbolic peer ids. Connections are
initiated by the client side only.
Server:
Linux Libreswan 3.5 (netkey) on 3.9.3-x86-linode (also tested with 3.3).
@router1: 69.x.x.x WAN, 192.168.55.254/24 LAN
Clients:
Linux Libreswan 3.3 (netkey) on 3.9.5-301.fc19.x86_64
@router2: 10.211.55.40 WAN, 192.168.22.254/24 LAN
@router3: 10.211.55.41 WAN, 192.168.33.254/24 LAN
Upstream IP for both: 2.x.x.x.
I find that the connection works for both only if I set up the tunnel for a single
router first, then the next. So add @router2 to the server, connect it,
then add @router3 and connect it. If I don't do this, the server tries to
associate the packets with the wrong tunnel (logs for 3.3 libreswan on
server showed this, not seeing any debug logs on 3.5 but assume the same).
Server conf file (I can provide the full ipsec.conf for each end if useful):
config setup
	protostack=netkey
	dumpdir=/var/run/pluto/
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
	uniqueids=yes

conn routers-12
	left=69.x.x.x
	leftsubnet=192.168.55.0/24
	leftnexthop=%defaultroute
	leftsourceip=192.168.55.254
	leftid=@router1
	right=2.x.x.x
	rightsubnet=192.168.22.0/24
	rightid=@router2
	keyingtries=%forever
	forceencaps=yes
	nat_keepalive=yes
	dpddelay=30
	dpdtimeout=120
	dpdaction=restart_by_peer
	authby=secret

conn routers-13
	left=69.x.x.x
	leftsubnet=192.168.55.0/24
	leftnexthop=%defaultroute
	leftsourceip=192.168.55.254
	leftid=@router1
	right=2.x.x.x
	rightsubnet=192.168.33.0/24
	rightid=@router3
	keyingtries=%forever
	forceencaps=yes
	nat_keepalive=yes
	dpddelay=30
	dpdtimeout=120
	dpdaction=restart_by_peer
	authby=secret
Kind Regards,
Mike
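An added example, not part of Mike's post and not Libreswan code: a small Python linter for the ipsec.conf section format shown above. It parses the "config setup" and "conn" sections (indented key=value lines, plus wrapped continuation lines such as the long virtual_private= value) and then flags pairs of conns that share the same right= address, as routers-12 and routers-13 do when both clients sit behind one CG-NAT IP. Such a pair is only distinguishable by rightid= and rightsubnet=, so the linter reports pairs where either discriminator is missing, identical or overlapping. The embedded SAMPLE_CONF is the server config from the post (with its 69.x.x.x / 2.x.x.x placeholders kept as-is); CONFLICTING_CONF is a constructed variant that reuses an ID and overlaps a subnet, and the continuation-line handling is this example's own assumption about how a wrapped value should be rejoined.

```python
"""Lint an ipsec.conf for conns that can only be told apart by peer ID/subnet.

Added example (not Libreswan code): parse the ipsec.conf section format and
report conn pairs that share a right= address but are not cleanly separated
by rightid= and rightsubnet=.
"""
import ipaddress
import re
from itertools import combinations

SECTION_RE = re.compile(r"^(config\s+setup|conn\s+(\S+))\s*$")
KV_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")

# Server config from the post (addresses are the post's own placeholders).
SAMPLE_CONF = """config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:
    10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    uniqueids=yes
conn routers-12
    left=69.x.x.x
    leftsubnet=192.168.55.0/24
    leftid=@router1
    right=2.x.x.x
    rightsubnet=192.168.22.0/24
    rightid=@router2
    authby=secret
conn routers-13
    left=69.x.x.x
    leftsubnet=192.168.55.0/24
    leftid=@router1
    right=2.x.x.x
    rightsubnet=192.168.33.0/24
    rightid=@router3
    authby=secret
"""

# Constructed variant: same peer ID reused and overlapping rightsubnet=.
CONFLICTING_CONF = """conn a
    right=2.x.x.x
    rightid=@shared
    rightsubnet=192.168.22.0/24
conn b
    right=2.x.x.x
    rightid=@shared
    rightsubnet=192.168.22.0/25
"""


def parse_ipsec_conf(text):
    """Return {'setup': {...}, 'conns': {name: {key: value}}}.

    Assumption of this example: an indented line that is not key=value is a
    wrapped continuation of the previous value and is appended to it.
    """
    setup, conns = {}, {}
    current, last_key = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = setup if m.group(2) is None else conns.setdefault(m.group(2), {})
            last_key = None
            continue
        if current is None:
            raise ValueError("key=value before any section: %r" % line)
        m = KV_RE.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2)
        elif last_key is not None:
            current[last_key] += line.strip()  # rejoin wrapped value
        else:
            raise ValueError("unparseable line: %r" % line)
    return {"setup": setup, "conns": conns}


def ambiguous_conn_pairs(parsed):
    """List (conn_a, conn_b, reason) for conns sharing right= that are not
    separated by distinct rightid= values and disjoint rightsubnet= values."""
    problems = []
    conns = parsed["conns"]
    for a, b in combinations(sorted(conns), 2):
        ca, cb = conns[a], conns[b]
        if ca.get("right") is None or ca.get("right") != cb.get("right"):
            continue  # different peer addresses: nothing to disambiguate
        ida, idb = ca.get("rightid"), cb.get("rightid")
        if ida is None or idb is None or ida == idb:
            problems.append((a, b, "same right= and same or missing rightid="))
        try:
            na = ipaddress.ip_network(ca["rightsubnet"])
            nb = ipaddress.ip_network(cb["rightsubnet"])
        except (KeyError, ValueError):
            problems.append((a, b, "same right= and missing/invalid rightsubnet="))
            continue
        if na.overlaps(nb):
            problems.append((a, b, "same right= and overlapping rightsubnet="))
    return problems


def lint(text):
    return ambiguous_conn_pairs(parse_ipsec_conf(text))


if __name__ == "__main__":
    for label, conf in (("post", SAMPLE_CONF), ("constructed", CONFLICTING_CONF)):
        print(label, lint(conf) or "no ambiguous conn pairs")
```

Run it as a script to see the post's config pass (its two conns differ in both rightid= and rightsubnet=) and the constructed one fail twice. The point it makes for a responder behind which several peers share one NAT address is that right=, the only address-level selector, carries no information, so everything rests on the ID and the traffic selectors being distinct per conn.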